FG-AI4H-I-036
TELECOMMUNICATION STANDARDIZATION SECTOR
STUDY PERIOD 2017-2020
ITU-T Focus Group on AI for Health
WG(s): Plenary
E-meeting, 7-8 May 2020
Original: English
DOCUMENT
Source: Editors
Title: Updated DEL2.2: Guidelines for AI based medical device: Regulatory
requirements (Draft: April 2020)
Purpose: Discussion
Contact: Luis Oala Email: luis.oala@hhi.fraunhofer.de
HHI Fraunhofer
Germany
Contact: Christian Johner Email: christian.johner@johner-institut.de
Johner Institute for Healthcare IT
Germany
Contact: Pradeep Balachandran Email: pbn.tvm@gmail.com
Technical Consultant (eHealth)
India
Abstract: This document contains the latest draft of the FG-AI4H deliverable DEL2.2
"Guidelines for AI based medical device: Regulatory requirements". This
deliverable defines a set of guidelines intended to serve AI solution
developers/manufacturers on how to conduct a comprehensive requirements
analysis and how to streamline the conformity assessment procedures to ensure
regulatory compliance for AI based Medical Devices (AI-MD).
International Telecommunication Union
ITU-T FG-AI4H
Deliverable
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(draft 2020-04-14)
FG AI4H DEL2.2
Guidelines for AI Based Medical Device – Regulatory Requirements
Summary
This technical paper defines a set of guidelines intended to serve AI solution developers/
manufacturers on how to conduct a comprehensive requirements analysis and how to streamline the
conformity assessment procedures to ensure regulatory compliance for AI based Medical
Devices (AI-MD). This set of guidelines gives prime priority to patient safety and
focuses on a streamlined process for risk minimization and quality assurance for AI based health
solutions. The proposed set of guidelines adopts, extends and leverages the best practices and
recommendations provided by international medical device regulatory agencies such as the IMDRF
and the FDA. These guidelines are devoid of any legally binding or statutory requirements applicable
to any specific regulatory framework or specific geographic jurisdiction.
Keywords
[Regulatory Checklist, Software-as-a-Medical Device, AI based Medical Devices]
Change Log
This document contains Version 1.0 of the FG-AI4H deliverable on "Guidelines for AI based
Medical Devices - Regulatory Requirements" approved at the ITU-T Focus Group on Artificial
Intelligence for Health meeting held in Geneva, dd-dd MMMM YYYY.
Contact: Peter G. Goldschmidt Email: pgg@has.com
WORLD DEVELOPMENT GROUP, Inc.
USA
Contact: Shan Xu Email: xushan@caict.ac.cn
China Academy of Information and Communications Technology (CAICT)
China
Contact: Sven Piechottka Email: sven.piechottka@merantix.com
Merantix Healthcare
Germany
CONTENTS
Page
1 Scope.......................................................................................................................................10
2 References...............................................................................................................................10
List of Tables
Page
Table 1: Process requirements............................................................................................................20
Table 2: Competencies requirements.................................................................................................21
Table 3: Intended use requirements....................................................................................................22
Table 4: Intended users and intended context of use requirements....................................................24
Table 5: Stakeholder requirements.....................................................................................................25
Table 6: Inputs to risk management and clinical evaluation requirements........................................27
Table 7: Functionality and performance requirements.......................................................................29
Table 8: User interface requirements..................................................................................31
Table 9: Additional software requirements........................................................................................31
Table 10: Risk management & clinical evaluation requirements.......................................................32
Table 11: Data collection requirements..............................................................................................34
Table 12: Data annotation requirements.............................................................................................37
Table 13: Data pre-processing requirements......................................................................................38
Table 14: Documentation and version control requirements..............................................................40
Table 15: Model preparation requirements........................................................................................41
Table 16: Model training requirements..............................................................................................42
Table 17: Model evaluation requirements...........................................................................43
Table 18: Model documentation requirements...................................................................................45
Table 19: Software development requirements..................................................................................47
Table 20: Accompanying materials requirements..............................................................................49
Table 21: Usability validation requirements......................................................................................52
Table 22: Clinical evaluation requirements........................................................................................53
Table 23: Product release requirements..............................................................................................55
Table 24: Production, distribution and installation requirements.......................................................56
Table 25: Post-market surveillance requirements...............................................................58
Table A.1: IMDRF EP 5.1 – General..................................................................................64
List of Figures
Page
Figure 1: AI-MD Classification Criteria & Scope..............................................................................13
Figure 2(a): Regulatory roadmap – AI medical device scope..............................................14
Figure 2(b): Regulatory roadmap – AI4H project deliverables scope.................................15
Figure 3: Product development life-cycle process (V-model)............................................................16
Figure 4: AI Software life-cycle diagram...........................................................................................16
Figure 5: Structure of the regulatory guidelines.................................................................................18
ITU-T FG-AI4H Deliverable 2.2
Summary
Artificial intelligence based technologies find extensive use in medical applications, and the
proliferation of AI at scale in global health holds great potential to significantly improve the
accessibility, quality, and cost-effectiveness of healthcare delivery and outcomes. Regulation plays
an important role in ensuring the safety of patients and users, and in the commercialization and
market acceptance of these AI based medical devices (AI-MD). Therefore, a streamlined and
systematic regulatory compliance process can help to expedite regulatory approval and to
reduce the time-to-market for these products. Software is an important aspect of AI based medical
devices and, as per the International Medical Device Regulators Forum (IMDRF), 'Software as a
Medical Device (SaMD)' is defined as software intended to be used for one or more medical
purposes that performs these purposes without being part of a hardware medical device, where
'medical purposes' include treatment, diagnosis, cure, mitigation, or prevention of disease or other
conditions.
Since artificial intelligence based technologies are data driven, they have the ability to learn from
real-world feedback data and thus improve and adapt their performance over time. Because of these
characteristics, they are identified and classified as belonging to the class of continuous learning
systems. The complexity introduced by such adaptive changes affects the clinical functionality, clinical
performance specifications and safety of the medical device, and may introduce new risks or even
modify existing risks. The fact that many AI processes are not transparent
(the black box phenomenon) also places barriers to acceptance. These characteristics raise important
technological, methodological, ethical, privacy, security, and regulatory issues, and there is an
absolute need for reasonable assurance mechanisms to maintain and/or improve the performance,
compatibility, safety and effectiveness of the medical devices.
Apart from these device-oriented issues, there are other challenges, including a lack of universally
accepted policies and guidelines for the regulation of AI based medical devices, which creates barriers
for these types of devices to scale up at the global level. Many medical device companies do not
have proper awareness of regulatory standards and thus fail to assess the potential implications of
safety, ethical and legal risks. There is a need for proper guidance mechanisms to educate and train
medical device manufacturers to work to regulatory guidelines applicable to AI based devices.
Current regulatory requirements are generally designed to evaluate more conventional medical
devices, and there is also a need for regulatory policies and guidelines tailored for AI based
medical devices. Regulatory frameworks need to adopt a full product lifecycle approach that
facilitates continual product improvement in an iterative and adaptive manner in conformance with
the appropriate standards and regulations. Furthermore, regulators and manufacturers must establish a
system to ensure transparency and accountability of all the processes involved in AI medical device
development. To aid manufacturers in meeting these requirements, the AI4H FG proposes a comprehensive
set of guidelines on how to conduct a regulatory review process for pre-market and post-market
product performance assessment and reporting. The main aim of these guidelines is to safeguard
patient safety as its first priority through a streamlined process for manufacturers that will help
ensure that products benefit patients by promoting health and minimizing risk. The proposed set of
guidelines adopts, extends and leverages best practices and recommendations provided by the
international medical device regulatory agencies such as the IMDRF and the FDA.
1 Scope
This document defines a set of guidelines intended to serve the target audience with adequate
guidance on how to conduct a comprehensive requirements analysis and how to streamline the
conformity assessment procedures to ensure regulatory compliance for AI based Medical Devices
(AI-MD).
Primary and secondary audience…
The scope of AI-MD, in this context, DOES include (a) medical devices with or without enforcement
of regulations, (b) Software-as-a-Medical Device (SaMD) or Software-in-a-Medical Device (SiMD),
and (c) healthcare applications intended to improve medical outcomes or the efficiency of the
healthcare system.
The scope of AI-MD, in this context, DOES NOT include software applications for (a) healthcare
facility administrative support, or (b) maintaining or encouraging healthy lifestyle, behaviour and
wellness.
This set of guidelines complements existing quality practices, recommendations and standards
developed by national and international medical device regulatory organizations including ISO,
IEC, FDA, etc. within the AI-MD regulatory domain, and DOES NOT replace or conflict with
their respective regulatory processes and standards.
This set of guidelines DOES NOT include any legally binding or statutory requirements applicable
to any specific regulatory framework or specific geographic jurisdiction.
2 References
The following reference documents were reviewed as part of a broad literature survey towards
the design of the proposed regulatory requirements guidelines, considering aspects of regulations,
standards, guidelines, best practices, directives and laws that are relevant in the context of AI-MD.
Objectives
The objective of this guideline is to provide target users with instructions and
a concrete checklist to
– understand what the expectations of the regulatory bodies are,
– promote step-by-step implementation of safety and effectiveness of Artificial Intelligence /
Machine Learning (AI/ML) based Software as a Medical Device, and
– compensate for the lack of a harmonized standard (in the interim) to the greatest extent
possible.
Figure 2(a) shows the generic as well as the AI specific aspects that need to be considered under the
regulatory roadmap of medical devices. From Figure 2(a), it can be inferred that AI-MDs, as
continuous learning or adaptive systems, are subject to modifications throughout their lifecycle, and
this can result in unforeseen outcomes for the device, including changes to core device functionality
and risk levels. These aspects pose additional challenges to device manufacturers in terms of
managing rapid development cycles and frequent software update and distribution cycles. Hence,
change management considerations tailored for AI-MDs are expected to provide an appropriate level
of controls to manage these changes.
Figure 2(b) shows the relevant AI-MD specific deliverables produced as part of the AI4H FG
project. It can be seen that these AI4H deliverables include the necessary product development life-
cycle processes that support the regulatory roadmap scope for AI-MDs. Document identifiers of
AI4H deliverables are listed in Table G: AI4H Project Deliverable Reference ID (Annex G) for
further reference.
To facilitate continual product improvement in an iterative and adaptive manner in conformance
with appropriate standards and regulations, it becomes imperative for any regulatory framework to
establish a system that can ensure transparency and accountability of all the life cycle processes
involved in AI-MD development. A brief rationale is provided here on the need for a product
lifecycle development process-oriented approach, which forms the basis of the proposed regulatory
requirements guidelines.
– Apart from compliance verification, the V-model emphasizes software process improvement
and supports integration of best practices for process improvement to achieve improved
software quality, performance, safety, and effectiveness of the medical device.
1 Standard Operating Procedure. All SOPs have to be approved and be under version control.
"Outliers" processing techniques include:
– deleting the data set,
– correcting the value,
– setting the value to a set value (min/max), etc.
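A minimal sketch of these three outlier-handling techniques in Python. The function name, the bounds, and the sample readings are our own illustration, not taken from the guideline:

```python
import statistics

def handle_outliers(values, lo, hi, strategy="clip"):
    """Process values outside [lo, hi] using one of three strategies:
    'delete'  - drop the out-of-range records (delete the data set),
    'correct' - replace them with the median of in-range values,
    'clip'    - set them to the nearest bound (min/max)."""
    inliers = [v for v in values if lo <= v <= hi]
    if strategy == "delete":
        return inliers
    if strategy == "correct":
        med = statistics.median(inliers)
        return [v if lo <= v <= hi else med for v in values]
    if strategy == "clip":
        return [min(max(v, lo), hi) for v in values]
    raise ValueError(f"unknown strategy: {strategy}")

# Hypothetical body-temperature readings with two implausible values
readings = [37.0, 36.5, 120.0, 36.8, -5.0]
print(handle_outliers(readings, 30.0, 45.0, "delete"))  # [37.0, 36.5, 36.8]
print(handle_outliers(readings, 30.0, 45.0, "clip"))    # [37.0, 36.5, 45.0, 36.8, 30.0]
```

Which strategy is appropriate depends on the intended use and should itself be documented, since each choice alters the training data distribution differently.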
Examples of unusable datasets may include:
– x-rays of poor quality as specified in the technical exclusion criteria, or
– patients/persons who do not meet the patient inclusion criteria, etc.
ML models include:
– Linear Regression
– Logistic Regression
– k-Nearest Neighbours
– Decision Trees
– Random Forest
– Gradient Boosting Machines
– XGBoost
– Support Vector Machines (SVM)
– k-Means Clustering
– Hierarchical Clustering
– Neural Networks, including Convolutional Neural Networks (CNNs), Recurrent Neural
Networks (RNNs) and Long Short-Term Memory Networks (LSTMs)
– Apriori algorithm
– Eclat algorithm
– Classic algorithm in comparison to a machine learning model.
– There is documentation of the model.
If the manufacturer plans to market its product in the US market, it should compile the respective
documentation.
Product Release:
– There is a "Software as a Medical Device Pre-Specifications" (SPS) that anticipates changes to
the product.
– There is an "Algorithm Change Protocol" (ACP) that specifies how these changes for systems
will be performed.
Reference: FDA: Proposed Regulatory Framework for Modifications to Artificial
Intelligence/Machine Learning (AI/ML)-Based Software as a Medical Device (SaMD)
5.1.5 a) appropriately reduce the risks related to the features of the medical device and IVD medical device and the
environment in which the medical device and IVD medical device are intended to be used (e.g. ergonomic/usability
features, tolerance to dust and humidity), and [Keywords: Risk reduction; Intended usage environment]
5.1.5 b) give consideration to the technical knowledge, experience, education, training and use environment and, where
applicable, the medical and physical conditions of intended users. [Keywords: Consider user knowledge]
5.1.6 The characteristics and performance of a medical device and IVD medical device should not be adversely affected to
such a degree that the health or safety of the patient and the user and, where applicable, of other persons are
compromised during the expected life of the device, as specified by the manufacturer, when the medical device and
IVD medical device is subjected to the stresses which can occur during normal conditions of use and has been
properly maintained and calibrated (if applicable) in accordance with the manufacturer's instructions.
[Keywords: Stress resistance; Intended use; Expected life of device]
5.1.7 Medical devices and IVD medical devices should be designed, manufactured and packaged in such a way that their
characteristics and performance, including the integrity and cleanliness of the product and when used in accordance
with the intended use, are not adversely affected by transport and storage (for example, through shock, vibrations,
and fluctuations of temperature and humidity), taking account of the instructions and information provided by the
manufacturer. The performance, safety, and sterility of the medical device and IVD medical device should be
sufficiently maintained throughout any shelf-life specified by the manufacturer.
5.1.8 Medical devices and IVD medical devices should have acceptable stability during their shelf-life, during the time of
use after being opened (for IVDs, including after being installed in the instrument), and during transportation or
dispatch (for IVDs, including samples). [Keywords: Stability; Shelf life]
5.1.9 All known and foreseeable risks, and any undesirable side-effects, should be minimized and be acceptable when
weighed against the evaluated benefits arising from the achieved performance of the device during intended
conditions of use, taking into account the generally acknowledged state of the art. [Keywords: Risk; Side-effects]
Table A.3: IMDRF EP 5.8 – Medical devices and IVD medical devices that incorporate software or are software as a medical device
Table A.5: IMDRF EP 5.12 – Protection against the risks posed by medical devices and IVD medical devices intended by the manufacturer for
use by lay users
Annex B:
IMDRF SaMD Risk Categorization Framework
The IMDRF publication "Software as a Medical Device: Possible Framework for Risk
Categorization and Corresponding Considerations" characterizes medical devices by assigning
different risk levels to them based on a combination of the significance of the information provided
by the SaMD to the healthcare decision and the healthcare situation or condition, as shown in Table
B.1.
The four categories (I, II, III, IV) shown in Table B.1 are based on the levels of impact on the
patient or public health, where accurate information provided by the SaMD to treat or diagnose,
drive or inform clinical management is vital to avoid death, long-term disability or other serious
deterioration of health, or to mitigate public health risks.
The categories are relative in significance to each other: Category IV has the highest level of
impact, Category I the lowest.
The criteria for determining (a) SaMD category and (b) levels of autonomy are explained as
follows.
– SaMD that provides information to inform clinical management for a disease or condition in
a critical situation or condition is Category II and is considered to be of medium impact.
The criteria for determining whether an SaMD is Category I are:
– SaMD that provides information to drive clinical management of a disease or condition in a
non-serious situation or condition is Category I and is considered to be of low impact.
– SaMD that provides information to inform clinical management for a disease or condition in
a serious situation or condition is Category I and is considered to be of low impact.
– SaMD that provides information to inform clinical management for a disease or condition in
a non-serious situation or condition is Category I and is considered to be of low impact.
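The IMDRF mapping from (significance of the information, healthcare situation or condition) to SaMD category can be sketched as a simple lookup table. The function name and string keys below are our own illustration, while the category assignments follow the IMDRF framework cited above:

```python
# (significance of information, healthcare situation) -> IMDRF SaMD category
CATEGORY = {
    ("treat_or_diagnose", "critical"):    "IV",
    ("drive",             "critical"):    "III",
    ("inform",            "critical"):    "II",
    ("treat_or_diagnose", "serious"):     "III",
    ("drive",             "serious"):     "II",
    ("inform",            "serious"):     "I",
    ("treat_or_diagnose", "non_serious"): "II",
    ("drive",             "non_serious"): "I",
    ("inform",            "non_serious"): "I",
}

def samd_category(significance: str, situation: str) -> str:
    """Look up the SaMD category for a given significance/situation pair."""
    return CATEGORY[(significance, situation)]

print(samd_category("inform", "critical"))    # II (medium impact)
print(samd_category("drive", "non_serious"))  # I  (low impact)
```

Encoding the table this way makes the categorization reproducible and auditable, but the authoritative assignment remains the IMDRF publication itself.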
Annex C:
Johner regulatory guidelines for AI for medical devices
The Johner Guideline for AI-MDs is prepared and released by the Johner Institute, Germany. The
guideline is published under the Creative Commons license of type BY-NC-SA. This document is
managed via the version management system git on the GitHub platform. Only the documents listed
in this repository are valid. Full documentation of the Johner Guidelines can be found at:
https://github.com/johner-institut/ai-guideline/blob/master/Guideline-AI-Medical-Devices_EN.md.
Annex D:
FG-AI4H data and AI solution quality assessment criteria
Data and AI solution quality assessment criteria were formulated by the ITU-T Focus Group on AI
for Health's DAISAM Working Group, following FGAI4H-F-032-A01: Data and AI
solution assessment methods, governed by FGAI4H-F-103: Updated FG-AI4H data acceptance and
handling policy.
Based on these criteria, a quality assessment questionnaire was prepared to serve as a preliminary
checklist intended to guide the various AI4H Topic Groups in following a uniform procedure
for preparing the data and AI solution technical requirements specifications and submitting them in
a common reporting format.
This DAISAM quality assessment questionnaire includes a glossary that contains definitions for
technical terms specific to the data and AI solution quality criteria. This is provided to guide the
FG-AI4H Topic Groups in interpreting the quality assessment checklist in a clear and concise manner
and in mapping the respective technical requirement specifications.
The data and AI solution quality assessment criteria are listed in Table D.1.
Table D.1: FG-AI4H data and AI solution quality assessment criteria
and the sandbox domain, imply that there could be various training
techniques including distributed training. Complex models that are
chained (or derived) may in fact be trained using varied data. The
performance of such models can be determined and compared in the
sandbox domain using a simulator. Based on comparisons, operators can
then select the model for specific use cases. This can be used in
conjunction with the MLFO to reselect the model. Note: evaluation may
involve network performance evaluation along with model performance.
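As a hypothetical sketch of the selection step described above, candidate models evaluated in the sandbox can be compared on a per-use-case metric and the best performer selected. All names, metrics, and scores below are invented for illustration; this is not part of any FG-AI4H or MLFO interface:

```python
# Sandbox evaluation results: per model, a score per use case
# (assume higher is better, e.g. AUROC from simulator runs).
sandbox_results = {
    "model_a": {"triage": 0.91, "screening": 0.84},
    "model_b": {"triage": 0.88, "screening": 0.93},
}

def select_model(results, use_case):
    """Return the model name with the best sandbox score for a use case."""
    return max(results, key=lambda name: results[name][use_case])

print(select_model(sandbox_results, "triage"))     # model_a
print(select_model(sandbox_results, "screening"))  # model_b
```

In practice the comparison could also fold in network performance metrics alongside model performance, as the note above suggests.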
Annex F:
DIN SPEC 92001 – AI devices life cycle processes requirements
Artificial Intelligence – Life Cycle Processes and Quality Requirements – Part 1: Quality
Meta Model
1. Introduction
Challenge: Quality assessment of an AI module still poses a major challenge. It
becomes more difficult to confirm, verify, and validate an AI module across the
wide-ranging tasks of conception, development, deployment, operation, and retirement.
Abstract: This document introduces an AI quality meta model to outline key aspects of AI quality
including the previously mentioned AI quality pillars. For AI quality analysis, an approach for risk
evaluation and a suitable software life cycle are provided. The given AI life cycle is consistent with
the international standard for systems and software engineering. The second part of this
specification, DIN SPEC 92001-2, provides specific AI quality requirements.
Scope
For the purposes of this document, the following terms and definitions apply.
DIN and DKE maintain terminological databases for use in standardization at the following
addresses:
The key quality characteristics, the so-called quality pillars, that need to be taken into account
throughout the whole life cycle of an AI module are functionality & performance, robustness and
comprehensibility. These three quality pillars are not fully disjoint. For instance, robustness may be
conceived as part of functionality & performance, since the adaptation to unknown environments
can be a functionality requirement in a given application. Furthermore, AI modules are divided into
two risk classes: AI modules with safety, security, privacy, or ethical relevance are classified as
components with (potentially) high risk, and all remaining modules as components with low risk.
For high risk AI modules, a deviation from the quality requirements is either not permitted or is to
be justified, while for low risk AI modules this is less strict.
In this document, each AI module is considered to be either of high or low risk, or it is assumed that a
mapping of internal risk classes to high risk and low risk, respectively, is carried out. For safety,
security, privacy, or ethically relevant AI modules this document requires the consideration of all
listed quality requirements. Potential deviations of such AI modules need a profound justification.
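The deviation rule above can be illustrated with a small sketch of our own (not taken from DIN SPEC 92001): a deviation from a quality requirement is gated on the module's risk class, with high-risk modules requiring a documented justification.

```python
def review_deviation(risk_class, justification=None):
    """Decide whether a deviation from a quality requirement is acceptable.

    High-risk modules: deviation only with a profound, documented justification.
    Low-risk modules: deviations are handled less strictly."""
    if risk_class == "high" and not justification:
        return "rejected"
    return "accepted"

print(review_deviation("high"))                                  # rejected
print(review_deviation("high", "validated on equivalent data"))  # accepted
print(review_deviation("low"))                                   # accepted
```

A real quality management system would of course also record who approved the deviation and keep the justification under version control, in line with the SOP requirements noted earlier.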
AI Module and Software System Relation
Software systems are composed of interacting system elements, where each has its own purpose and
requirements, respectively. The AI module is one of these elements that consist of AI methods and
algorithms, respectively. As an element of the software system, it relates to and interacts with other
elements such as hardware, software or data and with the surrounding environment such as humans.
Henceforth, this document focuses on the quality assurance of AI artifacts within the software
system. These artifacts can be hybrid systems. It is required to keep in mind that further standards,
requirements, and regulations can apply to the overall software system and consequently to the AI
module. In order to give a framework for DevOps of trustworthy AI modules, a quality metamodel
is proposed and described in this document.
2. Risk Evaluation
Risk grade – Description
3. Life Cycle
1. General
a) Organizational project-enabling processes: These processes provide the resources and assets
needed to make the project work and to meet the expectations of company stakeholders. Most
processes within this group are only slightly affected by the new challenges introduced by AI.
Nevertheless, the user of this document needs to evaluate whether changes to existing processes are
required. For instance, these processes may need to be refined by establishing quality
evaluation criteria that are applicable to the functionality & performance, robustness, and
comprehensibility of AI modules.
b) Technical management processes: “are concerned with managing the resources and assets
allocated by organization management and with applying them to fulfill the agreements into which
the organization or organizations enter [...]. In particular they relate to planning in terms of cost,
timescales and achievements, to the checking of actions to help ensure that they comply with plans
and performance criteria and to the identification and selection of corrective actions [...]”.
Additionally, specific measures with respective quality criteria need to be defined that allow
evaluating if the AI module satisfies functionality & performance, robustness, and
comprehensibility criteria.
c) Technical processes: “transform the needs of stakeholders into a product or service by means of
technical actions throughout the life cycle”. They ensure that sustainable performance and overall
quality is reached when the AI module is applied. This is the group of processes that is mostly
affected by AI-specific challenges. An important aspect that needs to be considered within the
system analysis process is, for instance, to ensure the needed extent of interpretability of the AI
module.
Agreement processes are part of the process groups defined in the standard but are not used in this
document. Agreement processes "are organizational processes that apply outside of the span of a project's life,
as well as for a project's lifespan. Agreements allow [...] to realize value and support business
strategies for […] organizations." [3]. While agreement processes apply to the overall software
system, they bear no specific relation to individual software components or to AI-specific
challenges. Thus, this DIN SPEC does not include agreement processes.
3. AI Quality Pillars
The document introduces an approach to cover a sufficiently wide spectrum of AI-related software
quality aspects and to emphasize the importance of AI-specific requirements. It enables the
development and implementation of performant, robust, safe, and trustworthy AI modules.
Quality assurance comprises three parts: the life cycle, the influencing factors, and the three quality
pillars. The project manager needs to consider jointly the influencing factors environment, platform,
data, and model. This raises awareness of possible quality issues that can arise during the different
life cycle stages and processes of the AI module. Throughout the life cycle, the project manager is
guided by the three quality pillars. All requirements for quality assurance are collected in these
quality characteristics. Thus, the AI quality meta model covers all aspects of AI quality assurance.
Bibliography
Annex G:
AI4H Project Deliverable Reference
____________________________